Wireshark-bugs: [Wireshark-bugs] [Bug 8197] PER dissector crash

Date: Wed, 16 Jan 2013 03:37:10 +0000

changed bug 8197

What Removed Added
CC   [email protected]

Comment # 9 on bug 8197 from
I get the crash in Fedora 17.  Valgrind complains thus:

~~~
==1239== Command: /home/morriss/Projects/wireshark/source2/.libs/lt-tshark -Vx
-nr /tmp/fuzz-8197.pcap
==1239== 
==1239== Invalid read of size 1
==1239==    at 0x4104D5: print_hex_data_buffer (print.c:997)
==1239==    by 0x411E48: print_hex_data (print.c:915)
==1239==    by 0x4197B6: print_packet (tshark.c:3589)
==1239==    by 0x41AFAD: process_packet (tshark.c:3198)
==1239==    by 0x40DE9A: main (tshark.c:2978)
==1239==  Address 0x9216800 is 0 bytes inside a block of size 1 free'd
==1239==    at 0x4A07786: free (vg_replace_malloc.c:446)
==1239==    by 0x35ACC4D50E: g_free (in /usr/lib64/libglib-2.0.so.0.3200.4)
==1239==    by 0x613ECDB: emem_free_all (emem.c:1239)
==1239==    by 0x6141828: epan_dissect_run_with_taps (epan.c:218)
==1239==    by 0x41AEAC: process_packet (tshark.c:3181)
==1239==    by 0x40DE9A: main (tshark.c:2978)
==1239== 
==1239== Invalid read of size 8
==1239==    at 0x613F44D: sl_alloc (string3.h:52)
==1239==    by 0x610EF4F: proto_tree_set_representation_value (proto.c:3610)
==1239==    by 0x615FB9D: proto_tree_add_uint_format_value (proto.c:2994)
==1239==    by 0x614243F: expert_add_info_format (expert.c:192)
==1239==    by 0x62451F1: dissect_ber_set (packet-ber.c:2883)
==1239==    by 0x662EED1: dissect_pres (pres.cnf:321)
==1239==    by 0x6149067: call_dissector_through_handle (packet.c:458)
==1239==    by 0x614990C: call_dissector_work (packet.c:549)
==1239==    by 0x614B680: call_dissector_with_data (packet.c:2076)
==1239==    by 0x66DE71A: call_pres_dissector (packet-ses.c:350)
==1239==    by 0x66DF5D2: dissect_spdu (packet-ses.c:993)
==1239==    by 0x66DFE5D: dissect_ses (packet-ses.c:1219)
==1239==  Address 0x61746d2008faccf0 is not stack'd, malloc'd or (recently)
free'd
==1239== 
==1239== 
==1239== Process terminating with default action of signal 11 (SIGSEGV)
==1239==  General Protection Fault
==1239==    at 0x613F44D: sl_alloc (string3.h:52)
==1239==    by 0x610EF4F: proto_tree_set_representation_value (proto.c:3610)
==1239==    by 0x615FB9D: proto_tree_add_uint_format_value (proto.c:2994)
==1239==    by 0x614243F: expert_add_info_format (expert.c:192)
==1239==    by 0x62451F1: dissect_ber_set (packet-ber.c:2883)
==1239==    by 0x662EED1: dissect_pres (pres.cnf:321)
==1239==    by 0x6149067: call_dissector_through_handle (packet.c:458)
==1239==    by 0x614990C: call_dissector_work (packet.c:549)
==1239==    by 0x614B680: call_dissector_with_data (packet.c:2076)
==1239==    by 0x66DE71A: call_pres_dissector (packet-ses.c:350)
==1239==    by 0x66DF5D2: dissect_spdu (packet-ses.c:993)
==1239==    by 0x66DFE5D: dissect_ses (packet-ses.c:1219)
~~~

The first ("invalid read of size 1") is because tvb_new_octet_aligned() is
returning an ep_alloc'd buffer which is then being added as a data source
(add_new_data_source()).  I still need to go back and read about why ep_
allocations started disappearing after dissection is complete but before we're
done displaying what we've dissected.  Anyway, this isn't causing the crash.


After adding debugability to the slab allocator in r47710, Valgrind now says
this is the cause of the crash; I'm now out of time to actually investigate the
problem:

~~~
==5296== Invalid read of size 8
==5296==    at 0x615EA7D: proto_item_append_text (proto.c:4097)
==5296==    by 0x6AB56BF: dissect_p1_MTAName (p1.cnf:691)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x6AB19AF: dissect_p1_ObjectName (p1.cnf:1203)
==5296==    by 0x6244ECE: dissect_ber_set (packet-ber.c:2850)
==5296==    by 0x6AB9421: dissect_MTSBindResult_PDU (p1.cnf:1290)
==5296==    by 0x69253A9: call_ros_oid_callback (packet-ros-template.c:196)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x6925BBF: dissect_ros_ROS (ros.cnf:196)
==5296==    by 0x6925CA7: dissect_ros (packet-ros-template.c:429)
==5296==    by 0x6149097: call_dissector_through_handle (packet.c:458)
==5296==    by 0x614993C: call_dissector_work (packet.c:549)
==5296==    by 0x614A46E: dissector_try_string (packet.c:1228)
==5296==    by 0x6247781: call_ber_oid_callback (packet-ber.c:991)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x68305EF: dissect_acse_T_encoding (acse.cnf:126)
==5296==    by 0x6246391: dissect_ber_sequence (packet-ber.c:2221)
==5296==    by 0x6830AEF: dissect_acse_EXTERNALt_U (acse.cnf:144)
==5296==    by 0x623FA97: dissect_ber_tagged_type (packet-ber.c:585)
==5296==    by 0x683072D: dissect_acse_EXTERNALt (acse.cnf:154)
==5296==    by 0x624372E: dissect_ber_sq_of (packet-ber.c:4186)
==5296==    by 0x6243E4D: dissect_ber_sequence_of (packet-ber.c:4445)
==5296==    by 0x6830B2F: dissect_acse_Association_data (acse.cnf:286)
==5296==    by 0x6246391: dissect_ber_sequence (packet-ber.c:2221)
==5296==    by 0x68309EF: dissect_acse_AARE_apdu_U (acse.cnf:249)
==5296==    by 0x623FADA: dissect_ber_tagged_type (packet-ber.c:560)
==5296==    by 0x6831555: dissect_acse_AARE_apdu (acse.cnf:101)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x6831B90: dissect_acse (acse.cnf:130)
==5296==    by 0x6149097: call_dissector_through_handle (packet.c:458)
==5296==    by 0x614993C: call_dissector_work (packet.c:549)
==5296==    by 0x614A46E: dissector_try_string (packet.c:1228)
==5296==    by 0x6247781: call_ber_oid_callback (packet-ber.c:991)
==5296==    by 0x662F203: dissect_pres_T_single_ASN1_type (pres.cnf:44)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x662E23F: dissect_pres_T_presentation_data_values
(pres.cnf:101)
==5296==    by 0x6246391: dissect_ber_sequence (packet-ber.c:2221)
==5296==    by 0x662DEFF: dissect_pres_PDV_list (pres.cnf:118)
==5296==    by 0x624372E: dissect_ber_sq_of (packet-ber.c:4186)
==5296==    by 0x6243E4D: dissect_ber_sequence_of (packet-ber.c:4445)
==5296==  Address 0x155a6ae0 is 80 bytes inside a block of size 96 free'd
==5296==    at 0x4A07786: free (vg_replace_malloc.c:446)
==5296==    by 0x35ACC4D50E: g_free (in /usr/lib64/libglib-2.0.so.0.3200.4)
==5296==    by 0x35ACC61E5E: g_slice_free1 (in
/usr/lib64/libglib-2.0.so.0.3200.4)
==5296==    by 0x61565E1: proto_tree_free_node (proto.c:593)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x615661A: proto_tree_free (proto.c:605)
==5296==    by 0x61418B3: epan_dissect_cleanup (epan.c:236)
==5296==    by 0x41AF08: process_packet (tshark.c:3236)
==5296==    by 0x40DE9A: main (tshark.c:2978)
~~~


You are receiving this mail because:
  • You are watching all bug changes.